Who are we?
Davy Engineering Ltd. is a “data controller” which means that we are responsible for deciding how we hold and use personal information about you. We are registered with the Information Commissioner’s Office.
Davy Engineering Ltd. has its registered office at Stirling Road, Shirley, West Midlands, B90 4NE and can be contacted on 0121 711 4060.
We collect the following personal customer information:
How do we collect this information?
We receive information about you when we provide you with goods or services. This includes making enquiries or placing orders via telephone, email, fax or online. Information can also be gathered from the public domain e.g. from your own website.
Purpose of collecting customer information details
Here at Davy Engineering we take your privacy very seriously and will only use your personal information to administer your account and to provide the products and services you have requested from us.
Personal information is used in ways our customers would reasonably expect and which have a minimal privacy impact. If we plan to use the personal data collected for a new purpose, we update this policy and communicate the changes to individuals before starting any new processing.
Here is a list of the ways we may use your personal information:
Our Reasons / Explanation
Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
Non Contractual Customer information is processed to administer accounts e.g. credit card details.
Processing of orders using contact information etc.
Where possible, we avoid making consent a precondition of service.
Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
To process and deliver goods and services you have purchases from us. I.e. fulfilling a contract.
To manage payments, fees and charges. To register you as a new customer.
Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
Managing customer accounts / providing services. Keeping our records up to date. Detect, investigate and report financial crime
Complying with Health and Safety Obligations
Vital interests: the processing is necessary to protect someone’s life.
Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
We may be asked to complete confidential Government questionnaires – e.g. National Office of Statistics
Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
Data is used in ways our customers, suppliers and employees would reasonably expect and which have a minimal privacy impact. For example, using delivery addresses when dispatching goods. Demand forecasting – we use information about sales figures to help us respond to demand, ensuring we have the correct stock in place for our customers.
Notifying customers about additional products that they are likely to use. This is done with legitimate interests in mind and is normally the result of customer relationships being developed.
Setting up an account.
Maintaining network and data security helps us to maintain the safety and confidentiality of your data.
To collect and recover sums of money owed to us.
We also process your personal data on the basis that we have a legitimate interest in preventing fraud and money laundering, and to verify identity, in order to protect our business and to comply with laws that apply to us.
Sharing Customer Data with Third Parties
We may provide some information to third parties but only if it is necessary to provide our product / service or to deal with your request. For example:
Anyone we share your data with may only use it in accordance with this privacy notice and is required to take appropriate security and organisational measures to protect your data
How long do we keep customer data?
We only retain your data as long as is necessary for the purpose which we collected it for. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Customer and Employee Rights
Personal data is protected by legal rights, which include your rights to object to our processing of your personal data; request that your personal data is erased or corrected; request access to your personal data.
Right of access – to request access to your personal information and information about how we process it Information held on customers and employees can be made available within two working days. It will be delivered by a secure encrypted email unless otherwise stated by the customer.
Right to rectification – to have your personal information corrected if it is inaccurate and to have incomplete personal information completed
If any information we hold is inaccurate our customers or employees can make a request for rectification verbally or in writing. We will respond to any request without delay and at least within one month of receipt.
As a business we also conduct regular data quality reviews of systems and manual records, to ensure the information continues to be adequate for the purposes we are processing for.
Right to erasure – to have your personal information erased
If we are requested to destroy data held on our system we will delete this information whereby it cannot be recovered (a certificate of destruction can be provided). We use a third party who are BSIA accredited.
Right to restriction of processing – to restrict processing of your personal information
Customers and employees can make a request verbally or in writing. We then verify the identity of the person making the request, using “reasonable means” and then respond to the request without delay and at least within one month of receipt.
Right to data portability – to electronically move, copy or transfer your personal information in a standard form Customers and employees can obtain and reuse their personal data for their own purposes across different services by making a verbal or written request.
Right to object – to object to processing of your personal data
Customers and employees can object to the processing of their personal data in certain circumstances. Customers can make a request verbally or in writing and we will respond to the request without delay and at least within one month of receipt
Rights with regards to automated individual decision making, including profiling – rights relating to automated decision makings, including profiling
We safeguard against the risk that potentially damaging decisions is taken without human intervention during all of our processes.
Customers and employees can request that they are not subject to an automated decision verbally and in writing. We will then respond to the request without delay and at least within one month of receipt
Retention and Disposal of Data
We have a process to dispose of hardware, backup tapes, removable media, hard drives, waste paper and any other types of media that hold data. We use a third party they can provide a certificate of destruction.
Data is not held for any time period longer than necessary and individuals can request for erasure verbally or in writing. We respond to any request without delay and at least one month of receipt.
Our full ‘Retention Policy’ is available upon request.
Other Confidential Data and Assurances
Personal Data Held
This information is only shared with our Accountant and the Pension PAYE Company.
This data is held in a private locked filing cabinet.
Limited details may be shared with our Third Party couriers for example, customer’s name, address and contact details. We do not share or sell information with Third Parties for any other reason.
This information is held on our secure computer system and occasionally in private filing cabinets.
Method of Communication
Where personal data needs to be sent out externally we use secure encrypted emails.
All employees are able to view the information we hold on them by simply asking.
Information held on customers is made available within two working days. It will be delivered by a secure encrypted email unless otherwise stated by the customer.
Please see ‘Customer and Employee Rights’ in previous section for additional information.
Data Breach Prevention
Third Party Subcontractors
Firewall Defense System
Our internal networks are protected with an industrial grade WatchGuard Firewall product. The Firewall enables us to detect and monitor for any security breaches.
Anti-Spam / Anti-Virus
Our internal systems all have anti-spam / anti-virus protection in place that is updated on a daily basis. Our staff are all fully trained to be vigilant when dealing with emails. We adopt a strict ‘in doubt, delete’ policy.
In addition to our outer perimeter firewall security features, we make use of Windows security log files to monitor individual computers.
Credentials / Password Policy
Where required our computer systems are patched and updated.
We have a duty to report certain types of personal data breaches to the ICO and, in some cases, to the individuals affected.
The ICO will be notified of a breach unless it is unlikely to result in a risk to the rights and freedoms of individuals. Where a breach is likely to result in a high risk to the rights and freedoms of individuals, we will notify those concerned directly and without undue delay. Any notifiable breach will be reported to the ICO without undue delay, no later than 72 hours after becoming aware of it. All staff are fully aware of what constitutes a breach.
We maintain records of personal data breaches, whether or not they are notifiable to the ICO. We have an internal breach reporting procedure in place.
Staff Training and Responsibility
All of our staff have signed a confidentiality agreement as part of their employment contract. Any new members of staff also adhere to this policy.
It is the policy to regularly review with the staff the company policy of the GDPR regulations.
Handling Telephone Calls
External Cold Calls
Clean Desk Policy